Passwords: A Leaky Defence in a Dangerous World

By Andrew Shikiar, Executive Director and Chief Marketing Officer at FIDO Alliance

Nations and businesses rely on digital technologies to deliver citizen services, scale, and grow. This reliance has only grown amidst COVID-19, where remote working and home-based learning have become a new norm.

Unfortunately, also growing are cybercriminals trying to exploit this crisis by seeking out organizations relying only on password authentication and launching phishing and other attacks aimed at stealing those credentials. Often, even a single breach can result in millions of credentials released to the public and the dark web — 8.4 billion records were exposed in the first three months of 2020 alone, a whopping 273 percent increase compared to Q1 2019. Now is the time for corporations to secure their employees, applications and data further and provide better authentication methods, because passwords are simply not doing the trick anymore.

Passwords are becoming increasingly vulnerable to attacks

Companies are trying to make passwords more secure, through measures like mandating complex passwords and regular resets. However, this has also led to passwords becoming difficult to manage, and even less secure especially with poor password habits such as making minor variations to the same password, and reusing the same password on multiple accounts.

An online security survey conducted by Google, for example, showed that two in three people recycle passwords. As credential theft continues to rise, such habits magnify the threat of an account takeover, as just one leaked password can put all other accounts at risk.

While it is practically impossible to remember all unique passwords we have created for various accounts we are signed on to, there are certainly other methods we can look to for better security.

Plugging authentication gaps with new approaches

Many organizations are looking at new standards that utilize public key cryptography to offer simpler and stronger authentication.

For a start, it is convenient and offers a better user experience. The authentication is done by the user’s device proving to the service that it possesses a private ‘key’ – typically, a long string of random numbers. Security is further ensured, because the client’s private keys can be used only after the device is unlocked by the user, using simple actions such as a fingerprint unlock, a PIN entry, speaking into a microphone, inserting a second–factor device or pressing a button. This offers a more seamless experience for the user as it removes the need to remember complex passwords and leverages devices they already have — mobile phones, PCs, etc.

More importantly, public key cryptography offers a layer of security that passwords lack. Passwords can be guessed, stolen, or hacked. But key cryptography mitigates that risk, by separating the information into two separate segments – or keys.

The first part is the public key. This is obtained when a user registers with an online service, where specific information – such as an authorized email or mobile phone number – will be registered with the online service as the public key. These public keys are then used to verify its counterpart – the private key – in a two-step authentication method that ensures that identities are verified, guarding the information from unauthorized revelation and access.

Becoming the industry standard

Increasingly, businesses and public sector organizations are switching to advanced public key cryptography techniques, over password authentication, because they help to create a more seamless and secure experience for users. For example, companies like Google use FIDO standards within their multi-factor integrated solution, which eases the login process and simultaneously makes it harder for hackers to steal information. This allows users to have a more consistent experience across all their devices and offers them more control during their logins.

The authentication method was created according to the standards developed by FIDO Alliance, which sets standards that enable phishing-resistant, password-less, and multi-factor authentication. Private keys or any information on the authentication method cannot be tracked by hackers and the information never leaves the local device. They also improve online experience by making strong authentication easier to implement and use.

The value in moving towards a password-less future has become apparent. At present, biometrics, such as fingerprint verification, are the most accessible authentication option for smartphones. Methods like entering a pin and speaking into a microphone are also available to gain access to the account. Reducing the use of passwords has now become natural progress for the industry.

Securing a password-less future

The world is moving towards a future when passwords will be a thing of the past. However, this is just the beginning. While our digital dependence seems to have hit its peak now, increasing one’s cybersecurity stance is timeless. The only question that remains now is the readiness of businesses and organisations to embrace this shift, and ultimately, to keep up with the need to strike the balance between security and usability.